September 27, 2022

U.S. Retrieves Millions in Ransom Paid to Colonial Pipeline Hackers

WASHINGTON—U.S. authorities have recovered millions of dollars in digital currency paid to the hackers who hit a major East Coast fuel pipeline with a ransomware attack last month, in a law-enforcement operation that officials said demonstrated progress undermining criminals’ ability to disrupt American commerce and critical infrastructure for profit.

Investigators seized about 64 bitcoin, valued at roughly $2.3 million, from a virtual wallet—the alleged proceeds from the ransom hack carried out by a suspected Russian-based criminal gang on Colonial Pipeline Co., the Justice Department said.

“The extortionists will never see this money,” Stephanie Hinds, acting U.S. attorney for the Northern District of California, where the seizure warrant was obtained, told reporters. “This case demonstrates our resolve to develop methods to prevent evildoers from converting new methods of payment into tools and extortion for undeserved profits.”

Senior Biden administration officials have in recent weeks characterized ransomware, in which criminals take an organization’s data or computer system hostage for ransom, as an urgent national-security threat. In just the past month ransomware attackers linked to Russia have threatened the nation’s fuel and meat supply, and poorly defended school systems, hospitals and local governments have suffered increasingly frequent ransomware attacks.

Ransomware has also become a diplomatic issue for the U.S., because the perpetrators of the attacks often appear to reside in countries unwilling to extradite them to the U.S., like Russia or North Korea.

President Biden and other officials have said there is no evidence the Russian government was involved in the Colonial attack, but have condemned Russian President Vladimir Putin for allowing criminal hackers to target the U.S. freely. Mr. Biden intends to discuss the matter with Mr. Putin at their summit in Geneva on June 16.

A cyberattack on the U.S.’s largest fuel pipeline on May 7 forced a shutdown that triggered a spike in gas prices and shortages in parts of the Southeast. WSJ explains just how vulnerable the nation’s critical energy infrastructure is to attack. Photo illustration: Liz Ornitz/WSJ

“One of the things that President Biden will make clear to President Putin when he sees him is that states cannot be in the business of harboring those who are engaged in these kinds of attacks,” Secretary of State Antony Blinken said Monday in congressional testimony.

Mr. Putin has broadly denied Western accusations about cyberattacks originating in Russia and said on Russian state television last week that it was absurd to suggest any Russian involvement in recent ransomware attacks.

Last month Colonial Pipeline, which transports gasoline, diesel, jet fuel and other refined products from the Gulf Coast to Linden, N.J., was shut down for six days as the company responded to the ransomware attack on its business systems. The company voluntarily took the pipeline offline due to concerns the hack would spread, and the stoppage spurred a run on gasoline along parts of the East Coast that pushed prices to the highest levels in more than six years and left thousands of gas stations without fuel.

The FBI officially discourages victims from paying ransoms because doing so can fuel a booming criminal marketplace and often won’t actually result in the restoration of the frozen computer systems. But the pipeline company’s Chief Executive Officer Joseph Blount told The Wall Street Journal the company paid $4.4 million to the hackers because executives were unsure how badly the cyberattack had breached its systems or how long it would take to bring the pipeline back online.

The ransom amounted to 75 bitcoin, a person familiar with the payment said, of which 64 were recovered. Because the cryptocurrency fluctuates dramatically in value, the dollar value recovered was only a little more than half the dollar value of the ransom payment.

In a statement Monday, Mr. Blount said Colonial plans to keep sharing “intelligence and learnings” with federal agencies, and that its goal was to help other critical infrastructure companies harden their cyber defenses and collaborate across industries to thwart attacks.

“Holding cyber criminals accountable and disrupting the ecosystem that allows them to operate is the best way to deter and defend against future attacks of this nature,” Mr. Blount said.

Mr. Blount is scheduled to testify at the Senate about the hack and pipeline outage on Tuesday and again before a House committee on Wednesday.

On Monday investigators obtained a seizure warrant from a magistrate judge in northern California that enabled authorities working with Colonial Pipeline to capture the bitcoin from the virtual wallet linked to the hacking group.

The FBI had tracked Colonial’s ransom payment across several bitcoin addresses in May, court documents show.

Law-enforcement officials often work with private-sector analysts who can track cryptocurrency transactions across public ledgers known as blockchains. By mapping clusters of virtual wallets and cross-referencing their transactions with intelligence about hacks, analysts say, they are able to reliably trace many ransom payments.

Upon receiving payouts from victims such as Colonial, hackers often switch funds among several wallets to cover their tracks or pay affiliates, as well as convert ransoms to different cryptocurrencies or hard money at exchanges. Law-enforcement officials can step in with search warrants and seize funds from the exchanges, analysts say.
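The two techniques described above, clustering wallets that appear to share an owner and following a payment hop by hop until it lands at an exchange where a warrant can be served, can be illustrated on a small ledger. The code below is an added example, not the article’s, the FBI’s or any analytics firm’s code. It operates on a constructed, fictional transaction list (`LEDGER`, with made-up address labels such as `ransom_1` and `exch_deposit_X`) and a constructed exchange-attribution table; the common-input-ownership heuristic it applies (inputs spent together in one transaction are assumed to belong to one controller) is a standard analyst heuristic, not a fact the article states.

```python
from collections import defaultdict, deque

# Constructed sample ledger (fictional, for illustration only). Each entry is
# one transaction: the addresses it spends from and the addresses it pays.
# Amounts are in BTC. The funding of "aff_other" and "unrelated_1" is not
# shown; only the flow relevant to the traced payment is included.
LEDGER = [
    {"txid": "tx1", "inputs": ["victim_A"], "outputs": {"ransom_1": 75.0}},
    {"txid": "tx2", "inputs": ["ransom_1"], "outputs": {"dev_share": 11.0, "aff_1": 63.7}},
    {"txid": "tx3", "inputs": ["aff_1", "aff_other"], "outputs": {"aff_2": 64.0, "aff_change": 0.5}},
    {"txid": "tx4", "inputs": ["aff_2"], "outputs": {"exch_deposit_X": 64.0}},
    {"txid": "tx5", "inputs": ["dev_share"], "outputs": {"mixer_in": 11.0}},
    {"txid": "tx6", "inputs": ["unrelated_1"], "outputs": {"unrelated_2": 2.0}},
]

# Constructed attribution table: deposit addresses an analyst has tied to a
# custodial exchange (a place where a seizure warrant can be served).
KNOWN_EXCHANGE_DEPOSITS = {"exch_deposit_X": "ExchangeX"}


def cluster_addresses(ledger):
    """Common-input-ownership heuristic: addresses spent together as inputs of
    one transaction are assumed to be controlled by the same party. Returns a
    map from each input address to the frozenset of its cluster members."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for tx in ledger:
        first = tx["inputs"][0]
        find(first)  # make sure single-input addresses are registered too
        for addr in tx["inputs"][1:]:
            union(first, addr)

    members = defaultdict(set)
    for addr in list(parent):
        members[find(addr)].add(addr)
    return {addr: frozenset(group) for group in members.values() for addr in group}


def cluster_of(ledger, address):
    """Cluster for one address; an address never seen as an input is a singleton."""
    return cluster_addresses(ledger).get(address, frozenset({address}))


def trace_forward(ledger, start_address, max_hops=10):
    """Breadth-first walk from start_address through every transaction that
    spends it, then through every transaction spending those outputs, and so
    on. Returns one record per (transaction, output) edge visited."""
    spends = defaultdict(list)
    for tx in ledger:
        for addr in tx["inputs"]:
            spends[addr].append(tx)

    path, seen = [], {start_address}
    queue = deque([(start_address, 0)])
    while queue:
        addr, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for tx in spends[addr]:
            for out_addr, amount in tx["outputs"].items():
                path.append({"hop": depth + 1, "txid": tx["txid"],
                             "from": addr, "to": out_addr, "amount": amount})
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append((out_addr, depth + 1))
    return path


def find_seizure_points(ledger, start_address, known_deposits, max_hops=10):
    """Report where traced funds reach an address attributed to a custodian."""
    hits = []
    for step in trace_forward(ledger, start_address, max_hops):
        if step["to"] in known_deposits:
            hits.append({"address": step["to"], "custodian": known_deposits[step["to"]],
                         "amount": step["amount"], "hops": step["hop"]})
    return hits


if __name__ == "__main__":
    for step in trace_forward(LEDGER, "ransom_1"):
        print(f"hop {step['hop']} {step['txid']}: {step['from']} -> {step['to']} ({step['amount']} BTC)")
    print("cluster of aff_1:", sorted(cluster_of(LEDGER, "aff_1")))
    print("seizure candidates:", find_seizure_points(LEDGER, "ransom_1", KNOWN_EXCHANGE_DEPOSITS))
```

On this ledger the walk splits at `tx2` into a developer share that disappears into a mixer and an affiliate share that, after a change-making hop, lands at the exchange deposit address. The clustering step also ties `aff_1` to `aff_other`, so any later spend from that second address would be watched as well. The heuristic has known false positives (transactions constructed to join unrelated owners) and the trace stops wherever funds leave the chain being observed, which is why the article’s analysts describe ransom tracing as reliable for many, not all, payments.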

“Because bitcoin transactions are available on a publicly distributed ledger, in many cases law enforcement can trace bitcoin payments and track stolen funds,” said Sujit Raman, a former senior Justice Department official. “When cybercriminals use bitcoin, that can sometimes be more traceable than just using cash or fiat currency.”

U.S. law enforcement has previously seized ransomware proceeds and other cryptocurrency sums, including more than $1 million tied to a Palestinian militant group last year. Officials Monday indicated they intended to more frequently seek to recover funds paid to ransomware operators to disincentivize the activity.

Fuel tanks at a Colonial Pipeline station in Washington. Photo: Drew Angerer/Getty Images

Administration officials and some lawmakers have in recent weeks called for consideration of tighter regulations of digital currencies, noting they have enabled ransomware groups and other criminals to extort victims.

The FBI has previously blamed the Colonial Pipeline attack on DarkSide, a prolific ransomware group that U.S. officials say is based in Russia and that security researchers say has made tens of millions over the past year, often by sharing its malware with affiliate criminals and then splitting proceeds. Tom Robinson, co-founder of blockchain analytics firm Elliptic, which tracked the Colonial-to-DarkSide transaction, said the amount seized appears to represent DarkSide affiliates’ share of the stash.

Investigators have identified over 90 victims of DarkSide ransomware across several critical infrastructure sectors, including manufacturing, legal, insurance, healthcare and energy, FBI Deputy Director Paul Abbate said Monday.

DarkSide told associates last month that it was shutting down in the wake of the pipeline hack, citing pressure from U.S. law enforcement. Security researchers, however, said it is not uncommon for ransomware groups such as DarkSide to disband, only to pop up later under a different name.


Write to Dustin Volz at [email protected], Sadie Gurman at [email protected] and David Uberti at [email protected]

Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.
